Module: Msf::Exploit::Remote::SMB::Client

Includes:
NTLM::Client, Tcp
Included in:
Authenticated, PipeAuditor
Defined in:
lib/msf/core/exploit/smb/client.rb

Overview

This mixin provides utility methods for interacting with a SMB/CIFS service on a remote machine. These methods may generally be useful in the context of exploitation. This mixin extends the Tcp exploit mixin. Only one SMB service can be accessed at a time using this class.

Defined Under Namespace

Modules: Authenticated, LocalPaths, PipeAuditor, Psexec, Psexec_MS17_010, RemotePaths, WebExec

Constant Summary collapse

SIMPLE =

These constants are unused here, but may be used in some code that includes this. Local definitions should be preferred.

Rex::Proto::SMB::SimpleClient
XCEPT =
Rex::Proto::SMB::Exceptions
CONST =
Rex::Proto::SMB::Constants
DCERPCPacket =

Alias over the Rex DCERPC protocol modules

Rex::Proto::DCERPC::Packet
DCERPCClient =
Rex::Proto::DCERPC::Client
DCERPCResponse =
Rex::Proto::DCERPC::Response
DCERPCUUID =
Rex::Proto::DCERPC::UUID
NDR =
Rex::Encoder::NDR

Instance Attribute Summary collapse

Attributes included from Tcp

#sock

Instance Method Summary collapse

Methods included from Tcp

#chost, #cleanup, #connect_timeout, #cport, #deregister_tcp_options, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Attribute Details

#simpleRex::Proto::SMB::SimpleClient


872
873
874
# File 'lib/msf/core/exploit/smb/client.rb', line 872

def simple
  @simple
end

Instance Method Details

#connect(global = true, versions: []) ⇒ Object

Override Tcp#connect to setup an SMB connection and configure evasion options

Also populates #simple.


100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# File 'lib/msf/core/exploit/smb/client.rb', line 100

def connect(global=true, versions: [])
  if versions.nil? || versions.empty?
    versions = datastore['SMB::ProtocolVersion'].split(',').map(&:to_i)
  end

  disconnect() if global

  s = super(global)
  self.sock = s if global

  # Disable direct SMB when SMBDirect has not been set
  # and the destination port is configured as 139
  direct = smb_direct
  if(datastore.default?('SMBDirect') and rport.to_i == 139)
    direct = false
  end

  c = Rex::Proto::SMB::SimpleClient.new(s, direct, versions, always_encrypt: datastore['SMB::AlwaysEncrypt'])

  # setup pipe evasion foo
  if datastore['SMB::pipe_evasion']
    # XXX - insert code to change the instance of the read/write functions to do segmentation
  end

  if (datastore['SMB::pad_data_level'])
    c.client.evasion_opts['pad_data'] = datastore['SMB::pad_data_level']
  end

  if (datastore['SMB::pad_file_level'])
    c.client.evasion_opts['pad_file'] = datastore['SMB::pad_file_level']
  end

  if (datastore['SMB::obscure_trans_pipe_level'])
    c.client.evasion_opts['obscure_trans_pipe'] = datastore['SMB::obscure_trans_pipe_level']
  end

  self.simple = c if global
  c
end

#domainObject


208
209
210
# File 'lib/msf/core/exploit/smb/client.rb', line 208

def domain
  datastore['SMBDomain']
end

#domain_username_split(user) ⇒ Object

If the username contains a / slash, then split it as a domain/username. NOTE: this is predicated on forward slashes, and not Microsoft's backwards slash convention.


224
225
226
227
228
229
230
231
# File 'lib/msf/core/exploit/smb/client.rb', line 224

def domain_username_split(user)
  return user if(user.nil? || user.empty?)
  if !user[/\//] # Only /, not \!
    return [nil,user]
  else
    return user.split("/",2)
  end
end

#initialize(info = {}) ⇒ Object


32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# File 'lib/msf/core/exploit/smb/client.rb', line 32

def initialize(info = {})
  super

  register_evasion_options(
  [
    OptBool.new('SMB::pipe_evasion',     [ true, 'Enable segmented read/writes for SMB Pipes', false]),
    OptInt.new('SMB::pipe_write_min_size', [ true, 'Minimum buffer size for pipe writes',  1]),
    OptInt.new('SMB::pipe_write_max_size', [ true, 'Maximum buffer size for pipe writes', 1024]),
    OptInt.new('SMB::pipe_read_min_size',  [ true, 'Minimum buffer size for pipe reads',  1]),
    OptInt.new('SMB::pipe_read_max_size',  [ true, 'Maximum buffer size for pipe reads', 1024]),
    OptInt.new('SMB::pad_data_level',  [ true, 'Place extra padding between headers and data (level 0-3)', 0]),
    OptInt.new('SMB::pad_file_level',  [ true, 'Obscure path names used in open/create (level 0-3)', 0]),
    OptInt.new('SMB::obscure_trans_pipe_level',  [ true, 'Obscure PIPE string in TransNamedPipe (level 0-3)', 0]),

  ], Msf::Exploit::Remote::SMB::Client)

  register_advanced_options(
  [
    OptBool.new('SMBDirect', [ false, 'The target port is a raw SMB service (not NetBIOS)', true ]),
    OptString.new('SMBUser', [ false, 'The username to authenticate as', '']),
    OptString.new('SMBPass', [ false, 'The password for the specified username', '']),
    OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication', '.']),
    OptString.new('SMBName', [ true, 'The NetBIOS hostname (required for port 139 connections)', '*SMBSERVER']),
    OptBool.new('SMB::VerifySignature', [ true, "Enforces client-side verification of server response signatures", false]),
    OptInt.new('SMB::ChunkSize', [ true, 'The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing', 500]),
    #
    # Control the identified operating system of the client
    #
    OptString.new('SMB::Native_OS', [ true, 'The Native OS to send during authentication', 'Windows 2000 2195']),
    OptString.new('SMB::Native_LM', [ true, 'The Native LM to send during authentication', 'Windows 2000 5.0']),
    OptString.new(
      'SMB::ProtocolVersion',
      [
        true,
        'One or a list of coma-separated SMB protocol versions to '\
        'negotiate (e.g. "1" or "1,2" or "2,3,1")', '1,2,3'
      ],
      regex: '^[123](?:,[123])*$'
    ),
    OptBool.new(
      'SMB::AlwaysEncrypt',
      [
        true,
        'Enforces encryption even if the server does not require it (SMB3.x only). '\
        'Note that when it is set to false, the SMB client will still '\
        'encrypt the communication if the server requires it',
        true
      ]
    )
  ], Msf::Exploit::Remote::SMB::Client)

  register_options(
  [
    Opt::RHOST,
    OptPort.new('RPORT', [ true, 'The SMB service port', 445])
  ], Msf::Exploit::Remote::SMB::Client)

  register_autofilter_ports([ 139, 445])
  register_autofilter_services(%W{ netbios-ssn microsoft-ds })
end

#smb_create(pipe) ⇒ Object

This method opens a handle to an IPC pipe


189
190
191
# File 'lib/msf/core/exploit/smb/client.rb', line 189

def smb_create(pipe)
  self.simple.create_pipe(pipe)
end

#smb_directObject


204
205
206
# File 'lib/msf/core/exploit/smb/client.rb', line 204

def smb_direct
  datastore['SMBDirect']
end

#smb_enumprinters(flags, name, level, blen) ⇒ Object

Calls the EnumPrinters() function of the spooler service


293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
# File 'lib/msf/core/exploit/smb/client.rb', line 293

def smb_enumprinters(flags, name, level, blen)
  stub =
    NDR.long(flags) +
    (name ? NDR.uwstring(name) : NDR.long(0)) +
    NDR.long(level) +
    NDR.long(rand(0xffffffff)+1)+
    NDR.long(blen) +
    "\x00" * blen +
    NDR.long(blen)

  handle = dcerpc_handle(
    '12345678-1234-abcd-ef00-0123456789ab', '1.0',
    'ncacn_np', ["\\SPOOLSS"]
  )

  begin
    dcerpc_bind(handle)
    dcerpc.call(0x00, stub)
    return dcerpc.last_response.stub_data
  rescue ::Interrupt
    raise $!
  rescue ::Exception => e
    return nil
  end
end

#smb_enumprintprovidersObject

This method dumps the print provider strings from the spooler


320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
# File 'lib/msf/core/exploit/smb/client.rb', line 320

def smb_enumprintproviders
  resp = smb_enumprinters(8, nil, 1, 0)
  return nil if not resp
  rptr, tmp, blen = resp.unpack("V*")

  resp = smb_enumprinters(8, nil, 1, blen)
  return nil if not resp

  bcnt,pcnt,stat = resp[-12, 12].unpack("VVV")
  return nil if stat != 0
  return nil if pcnt == 0
  return nil if bcnt > blen
  return nil if pcnt < 3

  #
  # The correct way, which leads to invalid offsets :-(
  #
  #providers = []
  #
  #0.upto(pcnt-1) do |i|
  # flags,desc_o,name_o,comm_o = resp[8 + (i*16), 16].unpack("VVVV")
  #
  # #desc = read_unicode(resp,8+desc_o).gsub("\x00", '')
  # #name = read_unicode(resp,8+name_o).gsub("\x00", '')
  # #comm = read_unicode(resp,8+comm_o).gsub("\x00", '')
  # #providers << [flags,desc,name,comm]
  #end
  #
  #providers

  return resp

end

#smb_file_exist?(file) ⇒ Boolean

Whether a remote file exists

Parameters:

  • file (String)

    Path to a file to remove, relative to the most-recently connected share

Returns:

  • (Boolean)

Raises:


247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
# File 'lib/msf/core/exploit/smb/client.rb', line 247

def smb_file_exist?(file)
  begin
    fd = simple.open(file, 'o')
  rescue RubySMB::Error::UnexpectedStatusCode => e
    found = false
  rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
    # If attempting to open the file results in a "*_NOT_FOUND" error,
    # then we can be sure the file is not there.
    #
    # Copy-pasted from smb/exceptions.rb to avoid the gymnastics
    # required to pull them out of a giant inverted hash
    #
    # 0xC0000034 => "STATUS_OBJECT_NAME_NOT_FOUND",
    # 0xC000003A => "STATUS_OBJECT_PATH_NOT_FOUND",
    # 0xC0000225 => "STATUS_NOT_FOUND",
    error_is_not_found = [ 0xC0000034, 0xC000003A, 0xC0000225 ].include?(e.error_code)
    # If the server returns some other error, then there was a
    # permissions problem or some other difficulty that we can't
    # really account for and hope the caller can deal with it.
    raise e unless error_is_not_found
    found = !error_is_not_found
  else
    # There was no exception, so we know the file is openable
    fd.close
    found = true
  end

  found
end

#smb_file_rm(file) ⇒ void

This method returns an undefined value.

Remove remote file

Parameters:

  • file (String)

    Path to a file to remove, relative to the most-recently connected share


281
282
283
284
# File 'lib/msf/core/exploit/smb/client.rb', line 281

def smb_file_rm(file)
  fd = smb_open(file, 'ro')
  fd.delete
end

#smb_fingerprintObject

This method performs an extensive set of fingerprinting operations


355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
# File 'lib/msf/core/exploit/smb/client.rb', line 355

def smb_fingerprint
  fprint = {}

  # Connect to the server if needed
  if not self.simple
    # native_lm/native_os is only available with SMB1
    vprint_status('Force SMB1 since SMB fingerprint needs native_lm/native_os information')
    connect(versions: [1])
    # The login method can throw any number of exceptions, we don't
    # care since we still get the native_lm/native_os.
    begin
      ()
    rescue ::Rex::Proto::SMB::Exceptions::NoReply,
           ::Rex::Proto::SMB::Exceptions::ErrorCode,
           ::Rex::Proto::SMB::Exceptions::LoginError => e
      dlog("Error with SMB fingerprint: #{e.message}")
    end
  end

  fprint['native_os'] = smb_peer_os()
  fprint['native_lm'] = smb_peer_lm()

  # Leverage Recog for SMB native OS fingerprinting
  fp_match = Recog::Nizer.match('smb.native_os', fprint['native_os']) || { }

  os = fp_match['os.product'] || 'Unknown'
  sp = fp_match['os.version'] || ''

  # Metasploit prefers 'Windows 2003' vs 'Windows Server 2003'
  if os =~ /^Windows Server/
    os = os.sub(/^Windows Server/, 'Windows')
  end

  if fp_match['os.edition']
    fprint['edition'] = fp_match['os.edition']
  end

  if fp_match['os.build']
    fprint['build'] = fp_match['os.build']
  end

  if sp == ''
    sp = smb_fingerprint_windows_sp(os)
  end

  lang = smb_fingerprint_windows_lang

  fprint['os']   = os
  fprint['sp']   = sp
  fprint['lang'] = lang

  fprint
end

#smb_fingerprint_windows_langObject

Determine the native language pack of a Windows system via SMB probes


517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
# File 'lib/msf/core/exploit/smb/client.rb', line 517

def smb_fingerprint_windows_lang

  #
  # Remote language detection via Print Providers
  # Credit: http://immunityinc.com/downloads/Remote_Language_Detection_in_Immunity_CANVAS.odt
  #

  lang = 'Unknown'

  sigs =
  {
    'English' =>
      [
        Rex::Text.to_unicode('Windows NT Remote Printers'),
        Rex::Text.to_unicode('LanMan Print Services')
      ],
    'Spanish' =>
      [
        Rex::Text.to_unicode('Impresoras remotas Windows NT'),
        Rex::Text.to_unicode('Impresoras remotas de Windows NT')
      ],
    'Italian' =>
      [
        Rex::Text.to_unicode('Stampanti remote di Windows NT'),
        Rex::Text.to_unicode('Servizi di stampa LanMan')
      ],
    'French' =>
      [
        Rex::Text.to_unicode('Imprimantes distantes NT'),
        Rex::Text.to_unicode('Imprimantes distantes pour Windows NT'),
        Rex::Text.to_unicode("Services d'impression LanMan")
      ],
    'German' =>
      [
        Rex::Text.to_unicode('Remotedrucker')
      ],
    'Portuguese - Brazilian' =>
      [
        Rex::Text.to_unicode('Impr. remotas Windows NT'),
        Rex::Text.to_unicode('Impressoras remotas do Windows NT')
      ],
    'Portuguese' =>
      [
        Rex::Text.to_unicode('Imp. remotas do Windows NT')
      ],
    'Hungarian' =>
      [
        Rex::Text.to_unicode("\x54\xe1\x76\x6f\x6c\x69\x20\x6e\x79\x6f\x6d\x74\x61\x74\xf3\x6b")
      ],
    'Finnish' =>
      [
        Rex::Text.to_unicode("\x45\x74\xe4\x74\x75\x6c\x6f\x73\x74\x69\x6d\x65\x74")
      ],
    'Dutch' =>
      [
        Rex::Text.to_unicode('Externe printers voor NT')
      ],
    'Danish' =>
      [
        Rex::Text.to_unicode('Fjernprintere')
      ],
    'Swedish' =>
      [
        Rex::Text.to_unicode("\x46\x6a\xe4\x72\x72\x73\x6b\x72\x69\x76\x61\x72\x65")
      ],
    'Polish' =>
      [
        Rex::Text.to_unicode('Zdalne drukarki')
      ],
    'Czech'   =>
      [
        Rex::Text.to_unicode("\x56\x7a\x64\xe1\x6c\x65\x6e\xe9\x20\x74\x69\x73\x6b\xe1\x72\x6e\x79")
      ],
    'Turkish' =>
      [
        "\x59\x00\x61\x00\x7a\x00\x31\x01\x63\x00\x31\x01\x6c\x00\x61\x00\x72\x00"
      ],
    'Japanese' =>
      [
        "\xea\x30\xe2\x30\xfc\x30\xc8\x30\x20\x00\xd7\x30\xea\x30\xf3\x30\xbf\x30"
      ],
    'Chinese - Traditional' =>
      [
        "\xdc\x8f\x0b\x7a\x53\x62\x70\x53\x3a\x67"
      ],
    'Chinese - Traditional / Taiwan' =>
      [
        "\x60\x90\xef\x7a\x70\x53\x68\x88\x5f\x6a",
      ],
    'Korean' =>
      [
        "\xd0\xc6\xa9\xac\x20\x00\x04\xd5\xb0\xb9\x30\xd1",
      ],
    'Russian' =>
      [
        "\x1f\x04\x40\x04\x38\x04\x3d\x04\x42\x04\x35\x04\x40\x04\x4b\x04\x20\x00\x43\x04\x34\x04\x30\x04\x3b\x04\x35\x04\x3d\x04\x3d\x04\x3e\x04\x33\x04\x3e\x04\x20\x00\x34\x04\x3e\x04\x41\x04\x42\x04\x43\x04\x3f\x04\x30\x04",
      ],

  }

  begin
    prov = smb_enumprintproviders()
    if(prov)
      sigs.each_key do |k|
        sigs[k].each do |s|
          if(prov.index(s))
            lang = k
            break
          end
          break if lang != 'Unknown'
        end
        break if lang != 'Unknown'
      end

      if(lang == 'Unknown')

        @fpcache ||= {}
        mhash = ::Digest::MD5.hexdigest(prov[4,prov.length-4])

        if(not @fpcache[mhash])

          buff = "\n"
          buff << "*** NEW FINGERPRINT: PLEASE SEND TO [ msfdev[at]metasploit.com ]\n"
          buff << " VERS: $Revision$\n"
          buff << " HOST: #{rhost}\n"
          buff << "   OS: #{os}\n"
          buff << "   SP: #{sp}\n"

          prov.unpack("H*")[0].scan(/.{64}|.*/).each do |line|
            next if line.length == 0
            buff << "   FP: #{line}\n"
          end

          prov.split(/\x00\x00+/n).each do |line|
            line.gsub!("\x00",'')
            line.strip!
            next if line.length < 6

            buff <<  "  TXT: #{line}\n"
          end

          buff << "*** END FINGERPRINT\n"

          print_line(buff)

          @fpcache[mhash] = true
        end

      end
    end
  rescue ::Interrupt
    raise $!
  rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
  end
  lang
end

#smb_fingerprint_windows_sp(os) ⇒ Object

Determine the service pack level of a Windows system via SMB probes


412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
# File 'lib/msf/core/exploit/smb/client.rb', line 412

def smb_fingerprint_windows_sp(os)
  sp = ''

  if (os == 'Windows XP')
    # SRVSVC was blocked in SP2
    begin
      smb_create("\\SRVSVC")
      sp = 'Service Pack 0 / 1'
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      if (e.error_code == 0xc0000022)
        sp = 'Service Pack 2+'
      end
    end
  end

  if (os == 'Windows 2000' and sp.length == 0)
    # LLSRPC was blocked in a post-SP4 update
    begin
      smb_create("\\LLSRPC")
      sp = 'Service Pack 0 - 4'
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      if (e.error_code == 0xc0000022)
        sp = 'Service Pack 4 with MS05-010+'
      end
    end
  end

  #
  # Perform granular XP SP checks if LSARPC is exposed
  #
  if (os == 'Windows XP')

    #
    # Service Pack 2 added a range(0,64000) to opnum 0x22 in SRVSVC
    # Credit to spoonm for first use of unbounded [out] buffers
    #
    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\BROWSER"]
    )

    begin
      dcerpc_bind(handle)

      stub =
        NDR.uwstring(Rex::Text.rand_text_alpha(rand(10)+1)) +
        NDR.wstring(Rex::Text.rand_text_alpha(rand(10)+1))  +
        NDR.long(64001) +
        NDR.long(0) +
        NDR.long(0)

      dcerpc.call(0x22, stub)
      sp = "Service Pack 0 / 1"

    rescue ::Interrupt
      raise $!
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
    rescue ::Rex::Proto::SMB::Exceptions::ReadPacket
    rescue ::Rex::Proto::DCERPC::Exceptions::Fault
      sp = "Service Pack 2+"
    rescue ::Exception
    end


    #
    # Service Pack 3 fixed information leaks via [unique][out] pointers
    # Call SRVSVC::NetRemoteTOD() to return [out] [ref] [unique]
    # Credit:
    #   Pointer leak is well known, but Immunity also covered in a paper
    #   Silent fix of pointer leak in SP3 and detection method by Rhys Kidd
    #
    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\BROWSER"]
    )

    begin
      dcerpc_bind(handle)

      stub = NDR.uwstring(Rex::Text.rand_text_alpha(rand(8)+1))
      resp = dcerpc.call(0x1c, stub)

      if(resp and resp[0,4] == "\x00\x00\x02\x00")
        sp = "Service Pack 3"
      else
        if(resp and sp =~ /Service Pack 2\+/)
          sp = "Service Pack 2"
        end
      end

    rescue ::Interrupt
      raise $!
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
    rescue ::Rex::Proto::SMB::Exceptions::ReadPacket
    rescue ::Exception
    end
  end

  sp
end

#smb_hostnameObject


200
201
202
# File 'lib/msf/core/exploit/smb/client.rb', line 200

def smb_hostname
  datastore['SMBName'] || '*SMBSERVER'
end

#smb_lanman_netshareenumallObject

Retrieve a list of shares via the NetShareEnumAll function in the LANMAN service This method can only return shares with names 12 bytes or less


828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
# File 'lib/msf/core/exploit/smb/client.rb', line 828

def smb_lanman_netshareenumall
  shares = []
  begin
    # XXX: #trans is not supported by RubySMB
    res = self.simple.client.trans(
      "\\PIPE\\LANMAN",
      (
        [0x00].pack('v') +
        "WrLeh\x00"   +
        "B13BWz\x00"  +
        [0x01, 65406].pack("vv")
      ))
  rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
    vprint_error("Could not enumerate shares via LANMAN")
    return []
  end
  if res.nil?
    vprint_error("Could not enumerate shares via LANMAN")
    return []
  end

  lerror, lconv, lentries, lcount = res['Payload'].to_s[
    res['Payload'].v['ParamOffset'],
    res['Payload'].v['ParamCount']
  ].unpack("v4")

  data = res['Payload'].to_s[
    res['Payload'].v['DataOffset'],
    res['Payload'].v['DataCount']
  ]

  0.upto(lentries - 1) do |i|
    sname,tmp = data[(i * 20) +  0, 14].split("\x00")
    stype     = data[(i * 20) + 14, 2].unpack('v')[0]
    scoff     = data[(i * 20) + 16, 2].unpack('v')[0]
    scoff -= lconv if lconv != 0
    scomm,tmp = data[scoff, data.length - scoff].split("\x00")
    shares << [ sname, smb_lookup_share_type(stype), scomm]
  end

  shares
end

#smb_login(simple_client = self.simple) ⇒ void

This method returns an undefined value.

Establishes an SMB session over the default socket and connects to the IPC$ share.

You should call #connect before calling this

Parameters:


152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
# File 'lib/msf/core/exploit/smb/client.rb', line 152

def (simple_client = self.simple)
  simple_client.(
    datastore['SMBName'],
    datastore['SMBUser'],
    datastore['SMBPass'],
    datastore['SMBDomain'],
    datastore['SMB::VerifySignature'],
    datastore['NTLM::UseNTLMv2'],
    datastore['NTLM::UseNTLM2_session'],
    datastore['NTLM::SendLM'],
    datastore['NTLM::UseLMKey'],
    datastore['NTLM::SendNTLM'],
    datastore['SMB::Native_OS'],
    datastore['SMB::Native_LM'],
    {:use_spn => datastore['NTLM::SendSPN'], :name =>  self.rhost}
  )
  # XXX: Any reason to connect to the IPC$ share in this method?
  simple_client.connect("\\\\#{datastore['RHOST']}\\IPC$")
end

#smb_lookup_share_type(val) ⇒ Object

Map an integer share type to a human friendly descriptor


675
676
677
# File 'lib/msf/core/exploit/smb/client.rb', line 675

def smb_lookup_share_type(val)
  [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]
end

#smb_netshareenumallObject

Retreive a list of all shares using any available method


735
736
737
738
739
740
741
742
743
744
# File 'lib/msf/core/exploit/smb/client.rb', line 735

def smb_netshareenumall
  begin
    return smb_srvsvc_netshareenumall
  rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
    vprint_error("Warning: NetShareEnumAll failed via Server Service: #{e}")
    return [] if self.simple.client.is_a?(RubySMB::Client)
    vprint_error("Falling back to LANMAN")
    return smb_lanman_netshareenumall
  end
end

#smb_netsharegetinfo(share) ⇒ Object

Retrieve detailed information about a specific share using any available method


680
681
682
# File 'lib/msf/core/exploit/smb/client.rb', line 680

def smb_netsharegetinfo(share)
 smb_srvsvc_netsharegetinfo(share)
end

#smb_open(path, perm, read: true, write: false) ⇒ Object

the default chunk size of 48000 for OpenFile is not compatible when signing is enabled (and with some nt4 implementations) cause it looks like MS windows refuse to sign big packet and send STATUS_ACCESS_DENIED fd.chunk_size = 500 is better


196
197
198
# File 'lib/msf/core/exploit/smb/client.rb', line 196

def smb_open(path, perm, read: true, write: false)
  self.simple.open(path, perm, datastore['SMB::ChunkSize'], read: read, write: write)
end

#smb_peer_lmObject

This method returns the native lanman version of the peer


181
182
183
184
185
186
# File 'lib/msf/core/exploit/smb/client.rb', line 181

def smb_peer_lm
  unless self.simple.negotiated_smb_version == 1
    print_warning("peer_native_lm is only available with SMB1 (current version: SMB#{self.simple.negotiated_smb_version})")
  end
  self.simple.client.peer_native_lm
end

#smb_peer_osObject

This method returns the native operating system of the peer


173
174
175
176
177
178
# File 'lib/msf/core/exploit/smb/client.rb', line 173

def smb_peer_os
  unless self.simple.negotiated_smb_version == 1
    print_warning("peer_native_os is only available with SMB1 (current version: SMB#{self.simple.negotiated_smb_version})")
  end
  self.simple.client.peer_native_os
end

#smb_srvsvc_netshareenumallObject

Retrieve a list of shares via the NetShareEnumAll function in the Server Service


747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
# File 'lib/msf/core/exploit/smb/client.rb', line 747

def smb_srvsvc_netshareenumall
  shares = []
  simple.connect("\\\\#{rhost}\\IPC$")
  handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"])
  begin
    dcerpc_bind(handle)
  rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
    vprint_error(e.message)
    return []
  end

  stubdata =
    NDR.uwstring("\\\\#{rhost}") +
    NDR.long(1)  #level

  ref_id = stubdata[0,4].unpack("V")[0]
  ctr = [1, ref_id + 4 , 0, 0].pack("VVVV")

  stubdata << ctr
  stubdata << NDR.align(ctr)
  stubdata << ["FFFFFFFF"].pack("H*")
  stubdata << [ref_id + 8, 0].pack("VV")
  response = dcerpc.call(0x0f, stubdata)
  res = response.dup
  win_error = res.slice!(-4, 4).unpack("V")[0]

  if win_error != 0
    raise RuntimeError, "Invalid DCERPC response: win_error = #{win_error}"
  end

  # Remove unused data
  res.slice!(0,12) # level, CTR header, Reference ID of CTR
  share_count = res.slice!(0, 4).unpack("V")[0]
  res.slice!(0,4) # Reference ID of CTR1
  share_max_count = res.slice!(0, 4).unpack("V")[0]

  if share_max_count != share_count
    raise RuntimeError, "Invalid DCERPC response: count != count max (#{share_count}/#{share_max_count})"
  end

  # ReferenceID / Type / ReferenceID of Comment
  types = res.slice!(0, share_count * 12).scan(/.{12}/n).map{|a| a[4,2].unpack("v")[0]}

  share_count.times do |t|
    length, offset, max_length = res.slice!(0, 12).unpack("VVV")
    if offset != 0
      raise RuntimeError, "Invalid DCERPC response: offset != 0 (#{offset})"
    end

    if length != max_length
      raise RuntimeError, "Invalid DCERPC response: length !=max_length (#{length}/#{max_length})"
    end
    name = res.slice!(0, 2 * length).gsub('\x00','')
    res.slice!(0,2) if length % 2 == 1 # pad

    comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV")

    if comment_offset != 0
      raise RuntimeError, "Invalid DCERPC response: comment_offset != 0 (#{comment_offset})"
    end

    if comment_length != comment_max_length
      raise RuntimeError, "Invalid DCERPC response: comment_length != comment_max_length (#{comment_length}/#{comment_max_length})"
    end

    comment = res.slice!(0, 2 * comment_length)

    res.slice!(0,2) if comment_length % 2 == 1 # pad

    name    = Rex::Text.to_ascii(name).gsub("\x00", "")
    s_type  = smb_lookup_share_type(types[t])
    comment = Rex::Text.to_ascii(comment).gsub("\x00", "")

    shares << [ name, s_type, comment ]
  end

  shares
end

#smb_srvsvc_netsharegetinfo(share) ⇒ Object

Retrieve detailed share dinformation via the NetShareGetInfo function in the Server Service


685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
# File 'lib/msf/core/exploit/smb/client.rb', line 685

def smb_srvsvc_netsharegetinfo(share)
  shares = []
  simple.connect("\\\\#{rhost}\\IPC$")
  handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"])
  begin
    dcerpc_bind(handle)
  rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
    vprint_error(e.message)
    return []
  end

  stubdata =
    NDR.uwstring("\\\\#{rhost}") +
    NDR.wstring(share) +
    NDR.long(2)

  response = dcerpc.call(0x10, stubdata)

  if ! response
    raise RuntimeError, "Invalid DCERPC response: <empty>"
  end

  head = response.slice!(0, 40)
  if head.length != 40
    raise RuntimeError, "Invalid DCERPC response: not enough data"
  end

  share_info = {
    share_type: head[12, 4].unpack('V').first,
    permissions: head[20, 4].unpack('V').first,
    max_users: head[24, 4].unpack('V').first,
  }

  idx = 0

  [:share, :comment, :path, :password].each do |field|
    field_info = response[idx, 12].unpack("V*")
    break if field_info.length == 0
    idx += 12

    field_text = response[idx, field_info.first * 2]
    share_info[ field ] = field_text.gsub("\x00", '')
    idx += (field_info.first * 2)
    idx += (idx % 4)
  end

  share_info
end

#smbhostObject


212
213
214
215
216
217
218
# File 'lib/msf/core/exploit/smb/client.rb', line 212

def smbhost
  if domain == "."
    "#{rhost}:#{rport}"
  else
    "#{rhost}:#{rport}|#{domain}"
  end
end

#splitname(uname) ⇒ Object


233
234
235
236
237
238
239
240
# File 'lib/msf/core/exploit/smb/client.rb', line 233

def splitname(uname)
  if datastore["PRESERVE_DOMAINS"]
    d,u = domain_username_split(uname)
    return u
  else
    return uname
  end
end

#unicode(str) ⇒ Object

Convert a standard ASCII string to 16-bit Unicode


141
142
143
# File 'lib/msf/core/exploit/smb/client.rb', line 141

def unicode(str)
  Rex::Text.to_unicode(str)
end